The best answer is A. Ensure the firewall data plane moves to fail-closed mode.

The key detail in this question is that the company prioritizes data confidentiality over transaction availability. In Security+ terms, when confidentiality is more important than keeping traffic flowing during a failure or security event, the preferred behavior is fail closed.

A fail-closed firewall blocks traffic if the device experiences a fault, failure, or security issue. This protects sensitive business data from being exposed or passed through an untrusted state. Even though this may interrupt business transactions, it aligns with the organization’s priority of protecting confidential information.

Why the other options are incorrect:

B. Implement a deny-all rule as the last firewall ACL rule.This is a standard firewall best practice, but it does not specifically address what should happen in case a security event occurs.

C. Prioritize business-critical application traffic through the firewall.This focuses on availability and performance, not confidentiality.

D. Configure rate limiting between the firewall interfaces.Rate limiting may help with traffic control or DoS reduction, but it does not best address the requirement to prioritize confidentiality during a security event.

From the SY0-701 perspective, when asked to choose between keeping systems available and preventing unauthorized access or data exposure, fail closed is the best security-focused answer.

The guidance focuses on attack surface reduction by eliminating unnecessary services, closing unused ports, and limiting publicly available information that attackers could leverage. Reducing the attack surface lowers the organization ' s exposure to threats and potential entry points.

Vulnerability assessments (B) identify weaknesses but do not necessarily involve active reduction measures. Tabletop exercises (C) simulate incidents, and business impact analysis (D) assesses the effects of disruptions, neither of which match the described activities.

Attack surface reduction is a core principle in Security Operations and penetration testing remediation strategies in SY0-701【6:Chapter 14†CompTIA Security+ Study Guide】.

A honeypot is a decoy system or account designed to attract attackers and detect malicious activity. Creating a user account as a trap fits this definition.

Honeytoken (A) is a decoy data element, honeynet (B) is a network of honeypots, and honeyfile (D) is a decoy file.

Honeypots are important tools in Security Operations and incident detection【6:Chapter 14†CompTIA Security+ Study Guide】

The best answer is B. Updating default credentials and applying network segmentation.

IoT devices often present increased security risk because they may have weak default settings, limited security features, and persistent network connectivity. Two of the most effective ways to reduce this risk are:

Updating default credentialsMany IoT devices come with default usernames and passwords that are widely known or easy to guess. Leaving default credentials unchanged creates a major security weakness.

Applying network segmentationSegmenting IoT devices onto a separate network or VLAN limits their ability to interact with critical corporate systems. If one device is compromised, segmentation helps contain the threat and reduces lateral movement.

Why the other options are incorrect:

A. Assigning static IP addresses to the devicesStatic IP addresses may help with management and inventory, but they do not significantly reduce the core security risk.

C. Connecting the devices to the guest Wi-Fi to prevent interactions with corporate ITThis may seem helpful, but guest Wi-Fi is typically designed for temporary user access, not secured management of business IoT systems. It is not the best practice compared with a properly segmented and controlled IoT network.

D. Allowing the vendor to have remote access for day-to-day managementRoutine vendor remote access can increase risk if not tightly controlled. Third-party access should be limited, monitored, and secured, not broadly allowed as a default control.

From the SY0-701 perspective, IoT security commonly emphasizes changing insecure defaults, restricting access, segmentation, and reducing exposure. Therefore, B is the strongest and most complete answer.

IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and access control. A security consultant can use IPSec to gain secure, remote access to a client environment by establishing a VPN tunnel with the client’s network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 8: Secure Protocols and Services, page 385 1

Virtualization (D)allows multiple systems and services to be hosted onfewer physical machines, therebyreducing the total number of physical devicesand consequently thehardware attack surface. This also allows for better patching, monitoring, and control.

The fewer devices you manage physically, the fewer entry points there are for attackers to exploit hardware-level vulnerabilities.

AnEndpoint Detection and Response (EDR)solution is designed tomonitor, detect, and respond to security incidents on endpoints (such as workstations and servers). Itcollects and analyzes data, detecting suspicious activity and forwarding relevant information for further investigation.

Network Access Control (NAC) (A)enforces network access policies but does not analyze security threats on hosts.

Intrusion Prevention Systems (IPS) (B)detect and block network threats but do not provide deep endpoint analytics.

Security Information and Event Management (SIEM) (C)aggregates logs and provides security analytics but lacks direct endpoint detection and response capabilities.

EDR is the best choicefor analyzing and responding to endpoint security incidents.

Jailbreaking is the process of removing the restrictions imposed by the manufacturer or carrier on a mobile device, such as an iPhone or iPad. Jailbreaking allows users to install unauthorized applications, modify system settings, and access root privileges. However, jailbreaking also exposes the device to potential security risks, such as malware, spyware, unauthorized access, data loss, and voided warranty. Therefore, an organization may prohibit employees from jailbreaking their mobile devices to prevent these vulnerabilities and protect the corporate data and network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 10: Mobile Device Security, page 507 2

The best answer is C. EDR logs.

EDR (Endpoint Detection and Response) tools are designed to monitor endpoint activity in detail, including process execution, command-line usage, script activity, file changes, persistence attempts, and suspicious behavior. Since the incident involves a PowerShell script, EDR logs are the most useful source for identifying whether the script attempted to compromise the system.

PowerShell is commonly abused by attackers for fileless malware, persistence, lateral movement, downloading payloads, and privilege escalation. EDR can capture this kind of endpoint-level behavior much more effectively than general network logs.

Why the other options are incorrect:

A. SNMP logsSNMP is mainly used for network device monitoring and management, not detailed endpoint script execution analysis.

B. Firewall logsFirewall logs can show allowed or blocked traffic, but they usually do not provide deep visibility into local PowerShell execution or endpoint compromise attempts.

D. IPS logsAn IPS may detect known malicious traffic patterns, but it is focused on network-based activity. It is not the best source for detailed analysis of a PowerShell script running on a host.

From a Security+ standpoint, when analyzing suspicious scripts or endpoint behavior, EDR provides the strongest visibility into actual compromise attempts.

A statement of work (SOW) is a document that defines the scope, objectives, deliverables, timeline, and costs of a project or service. It typically includes an estimate of the number of hours required to complete the engagement, as well as the roles and responsibilities of the parties involved. A SOW is often used for penetration testing projects to ensure that both the client and the vendor have a clear and mutual understanding of what is expected and how the work will be performed. A business partnership agreement (BPA), a service level agreement (SLA), and a non-disclosure agreement (NDA) are different types of contracts that may be related to apenetration testing project, but they do not include an estimate of the number of hours required to complete the engagement. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 492; What to Look For in a Penetration Testing Statement of Work?

SAE, or Simultaneous Authentication of Equals, is the correct answer. SAE is used with WPA3- Personal and replaces the weaker pre-shared key exchange approach used in earlier WPA versions. Its major security benefit is resistance to offline dictionary and brute-force attacks after over-the-air capture. With older WPA/WPA2-PSK handshakes, an attacker could capture the handshake and repeatedly test guessed passwords offline. SAE changes the authentication exchange so captured traffic is not useful in the same way for mass offline guessing. WIPS can detect or prevent wireless intrusions, but it does not directly strengthen the password authentication exchange. SSO is an identity convenience mechanism, and WPS is a risky setup feature historically associated with PIN brute-force weaknesses.

===============

A version control tool, such as Git, is specifically designed to track changes in code, configuration scripts, IaC templates, and deployment files. In the context of creating new virtual servers—often built using Infrastructure as Code (IaC) or automated orchestration—version control allows teams to maintain historical records, compare changes, revert mistakes, ensure code integrity, and enable collaborative development.

Security+ SY0-701 emphasizes the use of version control in secure development practices to ensure traceability, accountability, and change visibility. It supports secure DevOps workflows by ensuring that no unauthorized or insecure code modifications are introduced into production environments.

A change management ticketing system (A) documents approval requests but does not track code-level modifications. A behavioral analyzer (B) evaluates anomalous behavior, not code changes. A collaboration platform (C) enables communication but lacks code versioning capability.

Therefore, the most appropriate tool is D: Version control tool.

Push notifications offer a seamless and user-friendly method of multi-factor authentication (MFA) that can easily integrate into a user’s workflow. This method leverages employee-owned devices, like smartphones, to approve authentication requests through a push notification. It ' s convenient, quick, and doesn ' t require the user to input additional codes, making it a preferred choice for seamless integration with existing workflows.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management​.